+#Test 3: Attempt a resume after an HRR where PSK hash matches selected
+# ciperhsuite. Should see PSK on second ClientHello
+$proxy->clear();
+$proxy->clientflags("-sess_in ".$session);
+$proxy->serverflags("-curves P-256");
+$proxy->filter(undef);
+$proxy->start();
+#Check if the PSK is present in the second ClientHello
+my $ch2 = ${$proxy->message_list}[2];
+my $ch2seen = defined $ch2 && $ch2->mt() == TLSProxy::Message::MT_CLIENT_HELLO;
+my $pskseen = $ch2seen
+ && defined ${$ch2->{extension_data}}{TLSProxy::Message::EXT_PSK};
+ok($pskseen, "PSK hash matches");
+
+#Test 4: Attempt a resume after an HRR where PSK hash does not match selected
+# ciphersuite. Should not see PSK on second ClientHello
+$proxy->clear();
+$proxy->clientflags("-sess_in ".$session);
+$proxy->filter(\&modify_psk_filter);
+$proxy->serverflags("-curves P-256");
+$proxy->cipherc("TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384");
+$proxy->ciphers("TLS13-AES-256-GCM-SHA384");
+#We force an early failure because TLS Proxy doesn't actually support
+#TLS13-AES-256-GCM-SHA384. That doesn't matter for this test though.
+$testtype = ILLEGAL_EXT_SECOND_CH;
+$proxy->start();
+#Check if the PSK is present in the second ClientHello
+$ch2 = ${$proxy->message_list}[2];
+$ch2seen = defined $ch2 && $ch2->mt() == TLSProxy::Message::MT_CLIENT_HELLO;
+$pskseen = $ch2seen
+ && defined ${$ch2->extension_data}{TLSProxy::Message::EXT_PSK};
+ok($ch2seen && !$pskseen, "PSK hash does not match");
+
+